alexvanin/certificates
1
0
Fork 0
forked from TrueCloudLab/certificates
Code Pull requests Activity

Merge pull request #1372 from smallstep/herman/crl-on-http

Browse source
This commit is contained in:
Herman Slatman 2023-05-04 07:31:33 +02:00 committed by GitHub
commit eba93da6d6
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 24 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

26
ca/ca.go
View file

@ -196,7 +196,11 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
api.Route(r) api.Route(r)
}) })
//Add ACME api endpoints in /acme and /1.0/acme // Mount the CRL to the insecure mux
insecureMux.Get("/crl", api.CRL)
insecureMux.Get("/1.0/crl", api.CRL)
// Add ACME api endpoints in /acme and /1.0/acme
dns := cfg.DNSNames[0] dns := cfg.DNSNames[0]
u, err := url.Parse("https://" + cfg.Address) u, err := url.Parse("https://" + cfg.Address)
if err != nil { if err != nil {
@ -276,6 +280,7 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
// helpful routine for logging all routes // helpful routine for logging all routes
//dumpRoutes(mux) //dumpRoutes(mux)
//dumpRoutes(insecureMux)
// Add monitoring if configured // Add monitoring if configured
if len(cfg.Monitoring) > 0 { if len(cfg.Monitoring) > 0 {
@ -307,7 +312,7 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
// only start the insecure server if the insecure address is configured // only start the insecure server if the insecure address is configured
// and, currently, also only when it should serve SCEP endpoints. // and, currently, also only when it should serve SCEP endpoints.
if ca.shouldServeSCEPEndpoints() && cfg.InsecureAddress != "" { if ca.shouldServeInsecureServer() {
// TODO: instead opt for having a single server.Server but two // TODO: instead opt for having a single server.Server but two
// http.Servers handling the HTTP and HTTPS handler? The latter // http.Servers handling the HTTP and HTTPS handler? The latter
// will probably introduce more complexity in terms of graceful // will probably introduce more complexity in terms of graceful
@ -321,6 +326,23 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
return ca, nil return ca, nil
} }
// shouldServeInsecureServer returns whether or not the insecure
// server should also be started. This is (currently) only the case
// if the insecure address has been configured AND when a SCEP
// provisioner is configured or when a CRL is configured.
func (ca *CA) shouldServeInsecureServer() bool {
switch {
case ca.config.InsecureAddress == "":
return false
case ca.shouldServeSCEPEndpoints():
return true
case ca.config.CRL.IsEnabled():
return true
default:
return false
}
}
// buildContext builds the server base context. // buildContext builds the server base context.
func buildContext(a *authority.Authority, scepAuthority *scep.Authority, acmeDB acme.DB, acmeLinker acme.Linker) context.Context { func buildContext(a *authority.Authority, scepAuthority *scep.Authority, acmeDB acme.DB, acmeLinker acme.Linker) context.Context {
ctx := authority.NewContext(context.Background(), a) ctx := authority.NewContext(context.Background(), a)